Thousands of files on the Ministry of Social Development's computer servers, including the personal details of at-risk children, have been accessed through a Wellington Work and Income jobseeker kiosk.
Journalist and blogger Keith Ng described how he went into a Work and Income (WINZ) office and used a self-service kiosk, normally used to look at job vacancies, to access up to 3500 files on the agency's server, "just using the Open File dialogue in Microsoft Office".
Mr Ng said the files were PDF copies of ministry files and he has posted screen shots of what he found online.
He said on Sunday night on Public Address he had managed to view an invoice to a community group who had supported a family after their family member attempted suicide,including the person's name, invoices relating to children in Child Youth and Family (CYF) care, including addresses, sensitive client case notes, the names of candidates for adoption and passwords in plain text.
Mr Ng said all information he had obtained would be handed to the Privacy Commissioner and he had sought advice from a media law expert prior to publication on the blog.
Mr Ng believed self-service kiosks at all WINZ offices will have the same lack of security.
"All the kiosk computers at all branches are identical virtual computers, they are copies of the same computer, basically," he said.
Mr Ng said he did not need to prove he was registered with WINZ in order to use the kiosks - "it's a self-service kiosk, anyone can just walk up".
The security breach comes just a week after Social Development Minister Paula Bennett announced the Government will work to "better share" information on vulnerable children.
It is planned this will include notifications to CYF, hospital admissions and concerns of community providers or teachers.
Labour's Social Development spokeswoman Jacinda Ardern said the security breach was "nothing short of staggering".
Ms Ardern said the information shown by Mr Ng had "exposed a massive weakness".
"There are vulnerable kids involved here, right at the time when the minister is proposing a new database and greater information-sharing - the minister is going to have to not only rebuild security into the system, but restore people's confidence in it," said Ms Ardern
Ministry Deputy Chief Executive Marc Warner said the ministry was concerned about the breach and an urgent investigation would be carried out.
He said they were alerted to the breach yesterday.
"We took immediate steps to secure the system."
Mr Warner revealed it was not the first time there had been a security issue with public kiosks. A security issue was raised during the establishment of the kiosks, but they had been rebuilt to fix the problem.
In a statement issued to media Mr Warner said: "We have closed all kiosks in all sites across the country to ensure no further information can be accessed. They will not be reopened unless, and until we can guarantee they are completely secure and we have obtained independent assurance from security experts.
"We understand the maintenance of public confidence in our ability to protect people's information is vital.
"I want to give the public an assurance that we are doing everything possible to fix this and our people have been working overnight.
"I'm pleased Mr Ng has given an assurance that he will pass all the information to the Privacy Commissioner and has guaranteed none of the information will be given to anyone else or placed in the public arena," said Mr Warner.
- Kate Shuttleworth of APNZ
